Tuesday, Mar 22, 2022
BY: Team Nuspire
On Tuesday, March 22, 2022, threat actor group Lapsus$ posted screenshots in their Telegram channel of what they claim to be Okta customer data.
Who is Okta?
Okta is a leading provider of authentication services and Identity and Access Management (IAM) solutions. They’re used by organizations worldwide as a single sign-on (SSO) provider, allowing employees to securely access a company’s internal systems, such as email accounts, calendars, applications and more.
When did the breach occur?
Screenshots within the Telegram channel show a timestamp on the system of January 21, 2022, which may indicate this was the date of the breach. Okta’s CEO Todd McKinnon confirms that Okta detected “an attempt to compromise the account of a third-party customer support engineer” in January. Furthermore, he states, “We believe the screenshots shared online are connected to this January event.”
Who is Lapsus$?
Lapsus$ has previously claimed responsibility for leaking proprietary data from companies such as NVIDIA and Samsung. Unlike ransomware groups, Lapsus$ does not encrypt data once they gain access. Instead, they exfiltrate the data and threaten to publish what they’ve gathered if demands are not met. The group began by focusing on Latin American victims, and some security researchers suspect the group is based in Latin America.
What is Okta’s response?
Okta’s public statement says they remain fully operational. When they detected an unsuccessful attempt to compromise the account of the third-party engineer, they “alerted the third-party provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account.” They are actively continuing their investigation, including identifying and contacting those customers that may have been impacted. Okta says there is no impact to Auth0 customers or to HIPAA and FedRAMP customers.
What is Nuspire doing?
As an Okta customer, Nuspire has implemented all of the below recommendations, including rotating passwords, certificates and API keys related to our Okta infrastructure. Nuspire is also actively threat hunting for signs of suspicious Okta activity internally and in our client environments.
What should I do?
Nuspire recommends you take the following actions:
- Review your Okta audit logs for suspicious activity focused on superuser/admin Okta accounts.
- Rotate passwords for high-privileged accounts.
- Check for privileged accounts created around the time of the suspected breach (January 21, 2022).
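One way to carry out the first and third checks over exported Okta System Log events, as an added example that is not part of this advisory and not Okta's own tooling: it reads one JSON event per line, keeps account-creation, privilege-grant and API-token events, and reports those within a window around the suspected breach date. The event type names in `PRIVILEGED_EVENTS` are assumptions to be matched against your tenant's log schema, and the sample events are constructed, not real data.

```python
import json
from datetime import datetime, timedelta, timezone

# Okta System Log eventType values to review (assumed list; extend per tenant).
PRIVILEGED_EVENTS = {
    "user.lifecycle.create",         # new account created
    "user.account.privilege.grant",  # admin role granted
    "system.api_token.create",       # new API token minted
}

def parse_published(ts):
    """Okta publishes ISO 8601 timestamps with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def flag_events(log_lines, pivot, window_days=7):
    """Return privileged events within +/- window_days of the pivot datetime.
    log_lines: JSON strings, one System Log event per line."""
    window = timedelta(days=window_days)
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventType") not in PRIVILEGED_EVENTS:
            continue
        when = parse_published(ev["published"])
        if abs(when - pivot) > window:
            continue
        hits.append({
            "when": when.isoformat(),
            "eventType": ev["eventType"],
            "actor": ev.get("actor", {}).get("alternateId"),
            "targets": [t.get("alternateId") for t in ev.get("target", [])],
            "ip": ev.get("client", {}).get("ipAddress"),
        })
    return hits

# Constructed sample events (not real data) in System Log JSON shape.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"eventType": "user.session.start", "published": "2022-01-21T14:02:11.000Z",
     "actor": {"alternateId": "alice@example.com"}, "target": []},
    {"eventType": "user.lifecycle.create", "published": "2022-01-21T15:40:03.000Z",
     "actor": {"alternateId": "support-eng@example.com"},
     "target": [{"type": "User", "alternateId": "svc-backup@example.com"}],
     "client": {"ipAddress": "203.0.113.9"}},
    {"eventType": "user.account.privilege.grant", "published": "2022-01-22T09:15:00.000Z",
     "actor": {"alternateId": "support-eng@example.com"},
     "target": [{"type": "User", "alternateId": "svc-backup@example.com"}],
     "client": {"ipAddress": "203.0.113.9"}},
    {"eventType": "user.lifecycle.create", "published": "2021-11-01T09:00:00.000Z",
     "actor": {"alternateId": "it-admin@example.com"}, "target": []},
]]
```

Run it with `flag_events(SAMPLE_LOG, parse_published("2022-01-21T00:00:00.000Z"))`; an account created and then granted admin rights by the same actor from the same address inside the window is the pattern worth a closer look.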